The Cost of Not Having an Incident Response Plan

GBP 32.7 million is the estimated impact of the Synnovis ransomware attack in June 2024. Synnovis, an NHS pathology provider, was hit by the Qilin group: blood testing fell to 10% of capacity across the affected London hospitals, over 10,000 appointments were postponed, and the attack was confirmed as a contributing factor in one patient death.
GBP 6 to 7 million is what the British Library spent recovering from the Rhysida ransomware attack in October 2023, which disrupted services for months. A database of personal details was leaked onto the dark web, and the recovery consumed 40% of the library's financial reserves.
Both organisations had security controls in place. Neither breach was simply a matter of missing firewalls or disabled antivirus. The damage escalated because the response couldn't match the speed and scale of the attack.
The response gap is where the money goes
Most businesses think about cyber security as prevention. Install the firewall, enable MFA, and keep patches current. Those are the right things to do. Cyber Essentials (CE) tests for exactly those controls, and they stop the majority of attacks.
But prevention has a failure rate that no amount of spending eliminates. 43% of UK businesses reported a breach or attack in 2025 (Cyber Security Breaches Survey). Many of those businesses had protective controls in place. The controls didn't fail completely, but the attacks got through anyway, because attackers are persistent, because human error creates gaps, and because novel techniques exist that no configuration prevents.
When prevention fails, the next thing that matters is how fast you respond. And most UK businesses have no plan for that moment.
What "no plan" actually looks like
The first time most SMEs practise responding to a breach is during an actual breach.
There's no documented decision tree, and nobody has been assigned responsibility for containment. The insurance policy number is in someone's email, but that email is on an encrypted laptop. The regulator's reporting requirements say 72 hours, but nobody knows who contacts the ICO, what information they need, or what format the report should take.
In those first hours, the people making decisions are doing two things at once: trying to understand what happened and trying to figure out who does what. Those two activities compete for the same attention, and both suffer.
An incident response plan separates the "what do we do" question from the "who does it" question. Both get answered in advance, calmly, without an attacker inside the network. When the breach happens, you open the plan and follow it. You don't design the response while it's happening.
What tested response capability costs versus what a breach costs
An incident response plan costs time, not money. Writing it takes a day, and testing it through a tabletop exercise takes half a day. Doing that once a year is a day and a half of work.
A breach without a plan costs whatever it costs. For Synnovis, that meant GBP 32.7 million in impact; for the British Library, GBP 6-7 million. For a 50-person accountancy firm, the number is smaller, but proportionally it can be worse. A small business doesn't have GBP 6 million in reserves. It doesn't have a PR team to manage communications. It doesn't have backup legal counsel on retainer.
The numbers aren't comparable in any reasonable sense. A day and a half of planning versus months of disruption.
What goes into a response plan
Decision authority
Someone has to decide what happens when the ransomware note appears. Not "the board" in abstract, but a named person with the authority to approve or reject a ransom payment, to authorise system shutdowns, to approve customer communications.
Under the UK's confirmed ransomware payment regime, that decision has regulatory consequences. Paying without reporting to the government is a violation. The person making the call needs to know the rules before they're in the situation.
Contact list (printed)
Who gets called first, and in what order? Your IT support, your insurer's incident response line, your legal advisor, the NCSC incident reporting portal, your sector regulator (ICO, FCA, SRA), and your communications lead if you have one.
This list needs to exist somewhere that won't be encrypted with everything else. Print it, put it in a desk drawer, and give copies to at least three people, because the irony of an incident response contact list stored only on the systems that are currently down is not funny when you're living through it (a point also referenced in the foundational assurance benchmarking report).
Containment steps
What gets isolated first, and which systems can be taken offline without stopping the business entirely? If your email is compromised, do you have an alternative communication channel? If your backup server is on the same network, is it isolated?
These questions have different answers for every business. A law firm's priorities are different from a manufacturer's. The plan needs to reflect your specific setup, not a generic template.
Regulatory reporting
The ICO requires notification within 72 hours if personal data is involved. The FCA has its own reporting timeline for financial services. The SRA expects firms to report matters affecting client data. Under the upcoming ransomware legislation, initial reporting to the government is mandatory within 72 hours for all victims.
Your plan should include pre-populated templates for each regulator you report to. The information you already know (your organisation details, your data processing summary, your key contacts) should be filled in before the incident. During the incident, you fill in the gaps, not the whole form.
Recovery procedures
How do you actually restore from backup, and how long does it take? If the answer is "I think our MSP handles that," you need a more specific answer. What's the MSP's service level agreement for disaster recovery? Have they tested it, and when was the last successful restore?
The British Library's recovery took months partly because recovery procedures hadn't been tested against this type of attack. Testing recovery annually, even informally, reduces the time from incident to operational by a significant margin.
The exercise that changes everything
A tabletop exercise is the lowest-effort, highest-impact thing you can do for incident response readiness. You don't need to simulate an actual attack. You sit around a table (or a video call) and walk through a scenario.
"It's a Tuesday at 14:00, and your accounts team reports that they can't access the finance system. Two minutes later, your IT person discovers ransomware notes on three servers. What do you do?"
Then you walk through the plan. Who gets called and in what order? Who makes the decision about the ransom demand? Who contacts the ICO and what happens to client-facing services? How do you communicate with your team?
The first time you do this, the plan will have gaps, and that's the point. Finding gaps in a tabletop exercise is cheap. Finding them during an actual breach is expensive.
CE doesn't cover this
CE tests the Protect function: firewalls, patching, access control, malware protection, and secure configuration. Those controls exist to prevent attacks from succeeding. They don't address what happens when one gets through.
Incident response sits in the Respond function of the NIST Cybersecurity Framework, detection sits in the Detect function, and recovery sits in the Recover function. CE covers none of these, and that's not a flaw in CE. It's a scope limitation that businesses need to understand.
If you want to know what CE covers and what it doesn't, read the 6 things Cyber Essentials doesn't cover. If you want to see how response planning fits into a complete security programme, read how Cyber 365 maps all six NIST functions.
If you want to check where you stand on the controls CE does cover, the readiness quiz takes five minutes with no commitment required.